When a network user is carrying out network activities, illegal intruders usually break into the private space of the network user via network attacks so as to acquire the user's private information, resulting in leakage of that private information. Therefore, while a user is surfing the Internet, it is necessary to detect network attacks, so that when an attack is detected the user can be prompted to prevent private information leakage.
A network intrusion detection system based on string matching is proposed in “Snort: Lightweight Intrusion Detection for Networks” by Martin Roesch in 1999. In this network intrusion detection system, an attack can only be detected depending on whether a single intercepted network packet contains certain character features or whether certain ports are open. Furthermore, this network intrusion detection system cannot treat an attack as a process, which leads to a high false negative rate and a high false positive rate.
In order to identify an attack as a process, several event-based detection methods and systems have been proposed, in which attack behaviors are classified into the types “presence”, “sequence” and “partial order” (see S. Kumar and E. H. Spafford, “Pattern Matching Model for Misuse Intrusion Detection”, Proc. of the 17th National Computer Security Conference, 1994), attack rules are written in a procedural language or a descriptive language, and variables are used to maintain state, allowing efficient identification of network attack behaviors.
However, in the case of writing in a procedural language (see W. Lee, C. Park and S. Stolfo, “Automated Intrusion Detection using NFR: Methods and Experiences”, USENIX Intrusion Detection Workshop, 1999; and V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time”, USENIX Security Symposium, 1998), since attack rules are described in a procedural language, rule developers have to thoroughly understand the execution mechanism of the language itself when developing attack detection rules, which makes it very difficult or even infeasible to develop protocol-level detection modules and attack rules through the cooperation of dozens or even nearly one hundred people.
In the case of writing in a descriptive language (see R. Sekar, Y. Guang, S. Verma and T. Shanbhag, “High-Performance Network Intrusion Detection System”, ACM Conference on Computer and Communications Security, 1999), since the descriptive language is based on regular grammars, its expressive power is limited. Furthermore, the detection mechanism of a regular grammar is a finite automaton, which has very weak support for the hierarchical processing capability required by protocol parsing. Thus it is not applicable to protocol parsing.
In the patent with grant No. CN101060396B (corresponding U.S. Pat. No. 7,913,304), entitled “Event Detection Method and Device”, an event detection method with protocol hierarchy description capability is proposed. In this method, detection rules for events are preset using a predicative context-free grammar. The preset detection rules are resolved to generate a parsing table for a pushdown automaton, and the parsing table supports parallel parsing. The received events are then parsed with the generated parsing table to obtain detection results. When generating the parsing table of the pushdown automaton, the protocol rules and attack rules are first resolved to obtain a syntax tree. Then, item sets of the predicative context-free grammar are generated with a predicative LR(0) generating algorithm. Next, the item sets are transformed into the corresponding parsing table of a pushdown automaton, which comprises an action table ACTION and a jump table GOTO. The above application is incorporated into the present application in its entirety by reference. In this method, an event concept is used to detect attacks instead of specific protocol commands, which makes it possible to divide the development of an intrusion detection system into three independent parts (event parsing engine development, protocol parsing development and attack detection rule development) for separate implementation, wherein each part may be extended independently without influencing the other parts, thus improving the extensibility of the system. Further, with this method, the hierarchy of complex applications may be described, which enhances the capability of describing network attacks and increases attack detection efficiency.
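The following is an added illustration, not code from the patent: a toy event grammar with one predicate, whose LR(0) item sets are generated and transformed into ACTION and GOTO tables that then drive a pushdown automaton over a stream of events. The event names (probe, fail, lockout), the rules and the same-source predicate are assumptions made for the illustration.

```python
# Constructed example, not the patent's own code: a toy event grammar with one predicate,
# LR(0) item sets turned into ACTION/GOTO tables, and a pushdown automaton driven by them.
RULES = [  # rule 0 is the augmented start rule; lower-case symbols are event names (assumed)
    ("S'", ("ATTACK",)),
    ("ATTACK", ("SCAN", "FAILS", "lockout")),  # an attack described as a process, not one packet
    ("SCAN", ("probe",)),
    ("FAILS", ("FAILS", "fail")),
    ("FAILS", ("fail",)),
]
NONTERMS = {lhs for lhs, _ in RULES}
# Predicate on rule 1 (assumed): every event under the reduced ATTACK must share one source.
PREDICATES = {1: lambda kids: len({e[1]["src"] for e in leaves(kids)}) == 1}

def leaves(nodes):  # flatten parse-tree nodes ('NT', [children]) down to terminal events
    return [l for n in nodes for l in (leaves(n[1]) if n[0] in NONTERMS else [n])]

def closure(items):  # LR(0) closure; an item is (rule index, dot position)
    items, todo = set(items), list(items)
    while todo:
        r, d = todo.pop(); rhs = RULES[r][1]
        if d < len(rhs) and rhs[d] in NONTERMS:
            for i, (lhs, _) in enumerate(RULES):
                if lhs == rhs[d] and (i, 0) not in items:
                    items.add((i, 0)); todo.append((i, 0))
    return frozenset(items)

def build_tables():  # item sets -> ACTION (on terminals) and GOTO (on nonterminals)
    states, action, goto = [closure({(0, 0)})], {}, {}
    for s, items in enumerate(states):  # states grows while we iterate
        for r, d in items:
            rhs = RULES[r][1]
            if d == len(rhs):  # complete item; LR(0) reduces on any lookahead
                action[s, None] = ("acc",) if r == 0 else ("red", r); continue
            nxt = closure({(r2, d2 + 1) for r2, d2 in items
                           if d2 < len(RULES[r2][1]) and RULES[r2][1][d2] == rhs[d]})
            if nxt not in states: states.append(nxt)
            (goto if rhs[d] in NONTERMS else action)[s, rhs[d]] = ("sh", states.index(nxt))
    return action, goto

def detect(events):  # pushdown automaton; returns the ATTACK parse tree or None
    action, goto = build_tables()
    stack, nodes, stream = [0], [], list(events) + [None]  # None marks end of input
    while True:
        look = stream[0][0] if stream[0] else None
        act = action.get((stack[-1], look)) or action.get((stack[-1], None))
        if not act: return None  # no move: the stream is not an attack process
        if act[0] == "acc": return nodes[0]
        if act[0] == "sh": stack.append(act[1]); nodes.append(stream.pop(0)); continue
        lhs, n = RULES[act[1]][0], len(RULES[act[1]][1])
        kids, nodes[-n:], stack[-n:] = nodes[-n:], [], []  # reduce: pop |rhs| symbols
        if not PREDICATES.get(act[1], lambda k: True)(kids): return None
        nodes.append((lhs, kids)); stack.append(goto[stack[-1], lhs][1])
```

Each event is a pair of (name, attributes); a stream such as probe, fail, fail, lockout from one source reduces to an ATTACK tree, while a missing lockout, a fail from a different source, or fails without a preceding probe are rejected.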
However, in practical intrusion detection systems, it is often necessary for software modules distributed in different processes (or threads) to cooperate with each other. As shown in FIG. 1, software modules A1, A2 and A3 are distributed in different processes P1, P2 and P3. Software module A1 receives an outside event to be detected; it then needs to pass the event to A2, and further to A3 for processing if necessary, so that sophisticated attacks can be detected. In such a case, the grammar G may be divided into several sub-grammars, such as G1, G2 and G3. Each software module is then responsible for only one sub-grammar, and cooperation among the various software modules is ensured by the distributed grammar system.
In such a system, it is required not only to define protocol rules and attack rules within the individual grammar parser modules, but also to define the cooperation relationship among the various grammar parser modules, that is, to define when to call which grammar parser module for grammar parsing. However, in the event detection method based on the predicative context-free grammar proposed in the above-mentioned patent with grant No. CN101060396B, it is only possible to define events and the relationships among events within one software module, and it is impossible to describe event relationships among independent executing entities, which makes this method inapplicable to the distributed environment described above.